Manually modifying `/etc/passwd` like this feels quite wrong to me. I understand that this is intended to be a lightweight fix that doesn't rely on extraneous system maintenance packages, but who is to say that any given Docker container is even configured to perform a lookup using `/etc/passwd`?

I think the root problem here is that Jenkins relies upon a shared volume model as the transport mechanism to get source into the container, and the build artefacts back out. While this is arguably reasonable for the input vector (permissions of the files being injected can be left fairly open), we clearly see the problems when trying to get files back out.

Would a better approach be to decouple the container workspace filesystem from the host, and implement an RPC mechanism to deliver the build artefacts back to Jenkins?

I believe GitLab CI does something similar with its job caching and artefact management, so running tasks inside the Docker container as root is not a problem.
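The commenter's question of whether a container will even consult `/etc/passwd` is decided, on glibc-based images, by `/etc/nsswitch.conf`. The following is an added example, not code from the commenter or from Jenkins, that performs the two checks a practitioner would want before trusting the `/etc/passwd` edit: which sources the `passwd` database is served from, and whether the build UID is actually present in the file. The `nsswitch.conf` and `passwd` contents below are constructed samples, and the function names are this example's own.

```python
"""Check whether a container's user lookup will actually consult /etc/passwd.

Added example (not from the original comment). glibc routes getpwuid()/getpwnam()
through the sources listed for "passwd" in /etc/nsswitch.conf, so a UID added to
/etc/passwd is only visible to tools like `whoami` or `id -un` if "files" is one
of those sources. The sample file contents are constructed for illustration.
"""
from typing import Dict, List

# Constructed sample: a minimal image where passwd is served from flat files only.
SAMPLE_NSSWITCH_FILES_ONLY = """\
# /etc/nsswitch.conf
passwd:     files
group:      files
hosts:      files dns
"""

# Constructed sample: an image that consults an external source before files.
SAMPLE_NSSWITCH_SSS = """\
passwd:     sss files
group:      sss files
shadow:     sss files
"""

# Constructed sample /etc/passwd with a build user added by the "lightweight fix".
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
jenkins:x:1000:1000:Jenkins build user:/home/jenkins:/bin/sh
"""


def nss_sources(nsswitch_text: str) -> Dict[str, List[str]]:
    """Parse nsswitch.conf text into {database: [source, ...]}.

    Comments (# ...) and blank lines are ignored; action specifiers such as
    "[NOTFOUND=return]" are dropped because only the source list matters here.
    """
    sources: Dict[str, List[str]] = {}
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        tokens = [t for t in rest.split() if not t.startswith("[")]
        sources[db.strip()] = tokens
    return sources


def passwd_uids(passwd_text: str) -> Dict[int, str]:
    """Map UID -> username from /etc/passwd-style text (7 colon-separated fields)."""
    uids: Dict[int, str] = {}
    for raw in passwd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; skip rather than guess at it
        uids[int(fields[2])] = fields[0]
    return uids


def uid_resolves_via_files(nsswitch_text: str, passwd_text: str, uid: int) -> bool:
    """True only if "files" serves the passwd database AND uid is in /etc/passwd.

    If nsswitch.conf does not list "files" for passwd, editing /etc/passwd changes
    nothing for name lookups. A missing "passwd" entry is treated as unverified
    (False) rather than assuming a compiled-in default.
    """
    srcs = nss_sources(nsswitch_text).get("passwd", [])
    return "files" in srcs and uid in passwd_uids(passwd_text)


if __name__ == "__main__":
    for label, nss in (("files-only", SAMPLE_NSSWITCH_FILES_ONLY), ("sss+files", SAMPLE_NSSWITCH_SSS)):
        print(label, "uid 1000 resolves:", uid_resolves_via_files(nss, SAMPLE_PASSWD, 1000))
```

To run the check against a real image, feed it the output of `docker run --rm IMAGE cat /etc/nsswitch.conf` and `... cat /etc/passwd`. One caveat this check cannot cover: musl-based images such as Alpine do not use `nsswitch.conf` at all and read `/etc/passwd` directly, so on those the file edit does take effect even though no `nsswitch.conf` exists.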